Buying WinRAR

I’m almost at the end of my 40-day trial now, and I really like WinRAR - so I’ve decided to buy a licence. The question is - where to buy it from?

RARLAB doesn’t make it easy. They have countless “dealers” in many countries across several continents. For each country, the dealers are broken down into “Distributors” and “Resellers”. I can’t actually count them all because RARLAB will only show me dealers local to my own continent (IP geolocation magic).

I managed to get a list of dealers in the USA from Google’s cache. The going rate seems to be about $29 USD for a single user (≈ £20 GBP). This seems quite reasonable, but there was no mention of taxes (and I’m sure my bank can’t wait to charge me a hidden foreign transaction fee).

So let’s take a look at the prices from the UK dealers.

Dealer                         Single User Licence Price (incl taxes)
Roche GB (Distributor)         £27.78
qbs software (Reseller)        £28.58
grey matter (Reseller)         £28.58
SHI International (Reseller)   N/A (MOQ 2000)

It looks like the best deal in the UK is from Roche. It’s not as competitive as the US price, but here comes the bit where this blog post finally becomes blogworthy…

I noticed that Roche uses an ancient piece of eCommerce software called Actinic (specifically, version 10.0.2 according to their catalog blob file). I’ve had several years of commercial experience developing middleware and extensions for Actinic and generally just hacking it to bits. I know this software more intimately than a Mexican knows tacos.

I can tell you that the Actinic version used by Roche is vulnerable to several LFI and information disclosure exploits. It also has a remote diagnostics backdoor which reveals an awful lot of server/software configuration information (and best of all, the username & password are hard-coded and identical across every version). A lot of these problems arise as a result of Actinic’s desire to needlessly upload plain text configuration files within the webserver’s document root. Today, I’ll be probing one of my favourite Actinic configuration files - the discounts file.

Have a little peek yourselves. The discounts file just contains a simple Perl data structure and a checksum on the first line. The checksum is calculated as the sum of the ordinal values of each remaining character within the file - but that’s not the interesting bit. As the name implies, the discounts file defines all of the possible discounts which can be redeemed. These discounts can take many forms, e.g. “Buy X of Y, get Z free” or “X percent off when you spend more than Y”. The most rewarding ones, though, are usually the ones which require coupon codes to activate.

As you may be able to glean from the linked file, there is a 25% discount called “WinRAR Educational Discount” which requires a coupon code to redeem. The coupon is shown here as a series of 32 hexadecimal digits - 70f0befcd7daa8085f10ee9f4911318f. If you guessed that this is an MD5 hash of the coupon code string - you’re right!
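The weakness here is that the stored value is a fast, unkeyed hash of a short code sitting in a world-readable file, so whoever can read the file can check guesses offline at will. The block below is an added example (not Actinic’s or Roche’s code) that puts that style of check next to a keyed alternative; the HMAC-SHA256 design, the idea of a key kept outside the document root, and the `issue_coupon_code` helper are assumptions of this example, not anything the post describes.

```python
import hashlib
import hmac
import secrets

# Values quoted in the post: the hash from the discounts file and the code it resolves to.
POSTED_HASH = "70f0befcd7daa8085f10ee9f4911318f"
POSTED_CODE = "WINRARED"


def md5_coupon_matches(code: str, stored_hex: str) -> bool:
    """Check in the style the post describes: unsalted MD5 of the bare code.
    No key is involved, so anyone holding the file can recompute this for any
    guess without ever talking to the shop (exact-case match assumed)."""
    return hashlib.md5(code.encode("utf-8")).hexdigest() == stored_hex


def keyed_coupon_digest(code: str, server_key: bytes) -> str:
    """Assumed hardened design (not Actinic's): HMAC-SHA256 under a server key
    that is loaded from outside the document root. A leaked discounts file then
    holds values that cannot be turned back into codes without that key,
    however short or dictionary-like the code itself is."""
    return hmac.new(server_key, code.upper().encode("utf-8"), hashlib.sha256).hexdigest()


def keyed_coupon_matches(code: str, stored_hex: str, server_key: bytes) -> bool:
    """Constant-time comparison, so response timing does not leak digest prefixes."""
    return hmac.compare_digest(keyed_coupon_digest(code, server_key), stored_hex)


def issue_coupon_code(nbytes: int = 8) -> str:
    """Even with a keyed digest, issue codes with real entropy rather than a word:
    8 random bytes -> 16 hex characters, 64 bits of guessing space."""
    return secrets.token_hex(nbytes).upper()


if __name__ == "__main__":
    print("post's hash matches WINRARED:", md5_coupon_matches(POSTED_CODE, POSTED_HASH))
    key = secrets.token_bytes(32)  # in practice: read from a file outside the webroot
    stored = keyed_coupon_digest(POSTED_CODE, key)
    print("keyed digest (useless without the key):", stored)
    print("verify good code:", keyed_coupon_matches("winrared", stored, key))
    print("verify wrong code:", keyed_coupon_matches("WINRARFREE", stored, key))
    print("fresh high-entropy code:", issue_coupon_code())
```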

A quick Google search is always a good start when you’re given an unsalted MD5 hash.
Bingo! The coupon code is WINRARED.

Anyway, I’m going to wrap this post up now - but rest assured, I got a fair deal when I bought WinRAR.
Next week: How to buy WinZIP.